Vulnerability Description
LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts. Version 4.2 introduces user-based lockout mechanisms to mitigate brute-force attacks, user enumeration remains possible by default. In versions prior to 4.2, no such user-level protection is in place, only basic IP-based rate limiting is enforced. This IP-based protection can be bypassed by distributing requests across multiple IPs (e.g., rotating IP or proxies). Effectively bypassing both login and password reset security controls. Successful exploitation allows an attacker to enumerate valid email addresses registered for the application, increasing the risk of follow-up attacks such as password spraying.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liquidfiles | Liquidfiles | < 4.2.0 |
Related Weaknesses (CWE)
References
- https://docs.liquidfiles.com/release_notes/version_4-2-x.htmlRelease Notes
- https://www.liquidfiles.com/updates/v4.2.htmlRelease Notes
FAQ
What is CVE-2025-56132?
CVE-2025-56132 is a vulnerability with a CVSS score of 7.3 (HIGH). LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, ...
How severe is CVE-2025-56132?
CVE-2025-56132 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-56132?
Check the references section above for vendor advisories and patch information. Affected products include: Liquidfiles Liquidfiles.